From: Emmanuel Thompson Date: Thu, 23 Sep 2021 20:54:58 +0000 (-0400) Subject: doc/quic: Add documentation for QUIC keywords X-Git-Tag: suricata-7.0.0-beta1~1007 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6641efb74f7a3a227b7b56a1253d0f0693097848;p=thirdparty%2Fsuricata.git doc/quic: Add documentation for QUIC keywords --- diff --git a/doc/userguide/rules/index.rst b/doc/userguide/rules/index.rst index b757ff0157..4ef87bdeb8 100644 --- a/doc/userguide/rules/index.rst +++ b/doc/userguide/rules/index.rst @@ -30,6 +30,7 @@ Suricata Rules mqtt-keywords ike-keywords http2-keywords + quic-keywords app-layer xbits thresholding diff --git a/doc/userguide/rules/quic-keywords.rst b/doc/userguide/rules/quic-keywords.rst new file mode 100644 index 0000000000..80bdd4ee6c --- /dev/null +++ b/doc/userguide/rules/quic-keywords.rst @@ -0,0 +1,50 @@ +Quic Keywords +============= + +Suricata implements initial support for Quic by parsing the Quic version. + +Suricata also derives a CYU hash for earlier versions of Quic. + +Quic app-layer parsing must be enabled in the Suricata config file (set 'app-layer.protocols.quic.enabled' to 'yes'). + +quic.cyu.hash +--------------- + +Match on the CYU hash + +Examples:: + + alert quic any any -> any any (msg:"QUIC CYU HASH"; \ + quic.cyu.hash; content:"7b3ceb1adc974ad360cfa634e8d0a730"; \ + sid:1;) + +quic.cyu.string +--------------- + +Match on the CYU string + +Examples:: + + alert quic any any -> any any (msg:"QUIC CYU STRING"; \ + quic.cyu.string; content:"46,PAD-SNI-VER-CCS-UAID-TCID-PDMD-SMHL-ICSL-NONP-MIDS-SCLS-CSCT-COPT-IRTT-CFCW-SFCW"; \ + sid:2;) + +quic.version +--------------- + +Match on the Quic header version + +Examples:: + + alert quic any any -> any any (msg:"QUIC VERSION"; \ + quic.version:1362113590; \ + sid:3;) + +Additional information +---------------------- + +More information on CYU Hash can be found here: +``_ + +More information on the protocol can be found here: +``_
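Review bot: In the quic.version section of the new quic-keywords.rst, the example `quic.version:1362113590;` gives a rule writer no way to relate the number to a QUIC version. 1362113590 is 0x51303436, the ASCII bytes "Q046", so the section should say in what form the keyword expects the header version field (the example uses a decimal integer) and name the version the example matches. In the same file, "earlier versions of Quic" near the top should list the versions for which a CYU hash is derived, and the quic.cyu.hash section should state what the hash is computed over and in what format the content match is expected (the example value is 32 hex characters). The two references under "Additional information" show up here as empty link targets, so check that both URLs are present in the .rst source. The text also writes "Quic" where the commit subject and the rule messages use "QUIC"; use "QUIC" throughout.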